mass mail!!! HELP
Hi, someone on my server is sending out mass mail which is slowing my server right down.
All I can see in the CPU usage section is 100s of the following process:

18284 mailnull 0 0.0 0.4 /usr/sbin/exim -Mc 1ExvkC-0004kd-C9

How can I find out what account is sending this mail? Thanks.
Well, there are a few ways.

First - look at the obvious. If someone is abusing one of your customer's contact/feedback forms, look at the addresses on the outgoing mail. Do they all include a recipient like 'info@oneofyourdomains.com'? Chances are, that's your culprit, because the form is also hardcoded to include your customer as a recipient.

If they are abusing some other kind of form, you might be able to do some other investigating. Issue this command:

grep 'cwd=' /var/log/exim_mainlog

If your logging allows it*, you should see a great deal of output. I'd be suspicious of a lot of anything that appears to point at /home (i.e. here's a legitimate one from one of my customer's forms):

2006-02-14 11:33:50 cwd=/home/betterhm/public_html 3 args: /usr/sbin/sendmail -t -i

Hopefully one of these two should get you some results.

* You may need to increase the logging of exim. WHM -> Service Configuration -> Exim Configuration Editor -> Advanced Mode. In the VERY TOP box, add "log_selector = +all" (without the quotes) and save.
Exim statistics from 2006-02-12 04:20:30 to 2006-02-14 03:09:39
Grand total summary
-------------------
                                                 At least one address
  TOTAL               Volume    Messages    Hosts      Delayed       Failed
  Received              95MB       22758      347    7379 32.4%  12976 57.0%
  Delivered             55MB       18780     1898

Deliveries by transport
-----------------------
                              Volume    Messages
  boxtrapper_autowhitelist     340KB         269
  local_delivery                42MB         432
  mailman_virtual_transport      342           1
  remote_smtp                   12MB       18000
  virtual_userdelivery        1331KB          78

Messages received per hour (each dot is 84 messages)
----------------------------------------------------
00-01   3954 ...............................................
01-02   2805 .................................
02-03   2151 .........................
03-04    598 .......
04-05    297 ...
05-06    419 ....
06-07    510 ......
07-08    278 ...
08-09    343 ....
09-10    362 ....
10-11    379 ....
11-12    406 ....
12-13    347 ....
13-14    340 ....
14-15    270 ...
15-16    301 ...
16-17    226 ..
17-18    306 ...
18-19    164 .
19-20    142 .
20-21    159 .
21-22    183 ..
22-23   3613 ...........................................
23-24   4205 ..................................................

Deliveries per hour (each dot is 45 deliveries)
-----------------------------------------------
00-01   2211 .................................................
01-02   1439 ...............................
02-03    307 ......
03-04    122 ..
04-05    543 ............
05-06    860 ...................
06-07   1035 .......................
07-08    508 ...........
08-09    703 ...............
09-10    734 ................
10-11    758 ................
11-12    773 .................
12-13    688 ...............
13-14    612 .............
14-15    513 ...........
15-16    536 ...........
16-17    367 ........
17-18    598 .............
18-19    316 .......
19-20    237 .....
20-21    338 .......
21-22    375 ........
22-23   1941 ...........................................
23-24   2266 ..................................................

This is far too many and must be a spammer. I have tried your tips above but cannot find the account that is sending the emails; it just comes up with nothing. I really need help finding this person.
OK, now all I get when I run "grep 'cwd=' /var/log/exim_mainlog" is:

2006-02-14 03:16:25 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qfv-0004tm-D4
2006-02-14 03:16:26 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qfw-0004ts-Gz
2006-02-14 03:16:26 cwd=/ 3 args: /usr/sbin/sendmail -t -i
2006-02-14 03:16:26 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qfw-0004tt-PW
2006-02-14 03:16:26 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qfw-0004ts-Gz
2006-02-14 03:16:27 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qfy-0004ty-8I
2006-02-14 03:16:27 cwd=/ 3 args: /usr/sbin/sendmail -t -i
2006-02-14 03:16:27 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qfy-0004ty-8I
2006-02-14 03:16:28 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qfy-0004u2-M2
2006-02-14 03:16:28 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qfz-0004u4-Gz
2006-02-14 03:16:28 cwd=/ 3 args: /usr/sbin/sendmail -t -i
2006-02-14 03:16:29 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qfz-0004u4-Gz
2006-02-14 03:16:29 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qfz-0004u5-KY
2006-02-14 03:16:30 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qg0-0004uA-T9
2006-02-14 03:16:30 cwd=/ 3 args: /usr/sbin/sendmail -t -i
2006-02-14 03:16:30 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qg0-0004uA-T9
2006-02-14 03:16:30 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qg1-0004uB-9X
2006-02-14 03:16:31 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qg2-0004uG-D9
2006-02-14 03:16:31 cwd=/ 3 args: /usr/sbin/sendmail -t -i
2006-02-14 03:16:31 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qg2-0004uH-Fj
2006-02-14 03:16:31 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qg2-0004uG-D9
2006-02-14 03:16:32 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qg3-0004uM-Df
2006-02-14 03:16:32 cwd=/ 3 args: /usr/sbin/sendmail -t -i
2006-02-14 03:16:32 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qg3-0004uM-Df
2006-02-14 03:16:33 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qg3-0004uS-W1
2006-02-14 03:16:34 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qg4-0004uU-Bk
2006-02-14 03:16:34 cwd=/ 3 args: /usr/sbin/sendmail -t -i
2006-02-14 03:16:34 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qg4-0004uV-J5
2006-02-14 03:16:34 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qg4-0004uU-Bk
2006-02-14 03:16:38 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qg6-0004ua-2I
2006-02-14 03:16:38 cwd=/ 3 args: /usr/sbin/sendmail -t -i
2006-02-14 03:16:38 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qg6-0004ua-2I
2006-02-14 03:16:38 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qg6-0004ue-BH
2006-02-14 03:16:38 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgA-0004ug-6o
2006-02-14 03:16:38 cwd=/ 3 args: /usr/sbin/sendmail -t -i
2006-02-14 03:16:38 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qgA-0004ug-6o
2006-02-14 03:16:39 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgA-0004uh-GG
2006-02-14 03:16:39 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgA-0004um-QU
2006-02-14 03:16:39 cwd=/ 3 args: /usr/sbin/sendmail -t -i
2006-02-14 03:16:39 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgA-0004un-RO
2006-02-14 03:16:39 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qgA-0004um-QU
2006-02-14 03:16:40 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgB-0004us-KZ
2006-02-14 03:16:40 cwd=/ 3 args: /usr/sbin/sendmail -t -i
2006-02-14 03:16:40 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgB-0004uw-Qv
2006-02-14 03:16:40 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qgB-0004us-KZ
2006-02-14 03:16:41 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgC-0004uy-AE
2006-02-14 03:16:41 cwd=/ 3 args: /usr/sbin/sendmail -t -i
2006-02-14 03:16:41 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qgC-0004uy-AE
2006-02-14 03:16:41 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgC-0004v0-HD
2006-02-14 03:16:41 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgD-0004v4-9p
2006-02-14 03:16:41 cwd=/ 3 args: /usr/sbin/sendmail -t -i
2006-02-14 03:16:42 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgD-0004v5-CP
2006-02-14 03:16:42 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qgD-0004v4-9p
2006-02-14 03:16:43 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgE-0004vF-9y
2006-02-14 03:16:43 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgD-0004vB-Tv
2006-02-14 03:16:43 cwd=/ 3 args: /usr/sbin/sendmail -t -i
2006-02-14 03:16:43 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qgD-0004vB-Tv
2006-02-14 03:16:44 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgF-0004vK-8p
2006-02-14 03:16:44 cwd=/ 3 args: /usr/sbin/sendmail -t -i
2006-02-14 03:16:44 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgF-0004vL-D7
2006-02-14 03:16:44 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qgF-0004vK-8p
2006-02-14 03:16:44 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgG-0004vN-2r
2006-02-14 03:16:44 cwd=/ 3 args: /usr/sbin/sendmail -t -i
2006-02-14 03:16:45 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgG-0004vR-Ah
2006-02-14 03:16:45 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qgG-0004vN-2r
2006-02-14 03:16:45 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgG-0004vT-TO
2006-02-14 03:16:45 cwd=/ 3 args: /usr/sbin/sendmail -t -i
2006-02-14 03:16:46 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgH-0004vV-8c
2006-02-14 03:16:46 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qgG-0004vT-TO
2006-02-14 03:16:47 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgH-0004va-WB
2006-02-14 03:16:47 cwd=/ 3 args: /usr/sbin/sendmail -t -i
2006-02-14 03:16:47 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qgH-0004va-WB
2006-02-14 03:16:47 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgI-0004ve-KP
2006-02-14 03:16:47 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgJ-0004vg-7n
2006-02-14 03:16:47 cwd=/ 3 args: /usr/sbin/sendmail -t -i
2006-02-14 03:16:48 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgJ-0004vh-B3
2006-02-14 03:16:48 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qgJ-0004vg-7n
2006-02-14 03:16:48 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgJ-0004vm-Rw
2006-02-14 03:16:48 cwd=/ 3 args: /usr/sbin/sendmail -t -i
2006-02-14 03:16:48 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgK-0004vo-57
2006-02-14 03:16:49 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qgJ-0004vm-Rw
2006-02-14 03:16:50 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgK-0004vs-OY
2006-02-14 03:16:50 cwd=/ 3 args: /usr/sbin/sendmail -t -i
2006-02-14 03:16:50 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qgK-0004vs-OY
2006-02-14 03:16:50 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgL-0004vw-1n
2006-02-14 03:16:51 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgM-0004w1-7L
2006-02-14 03:16:52 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgM-0004vy-3p
2006-02-14 03:16:52 cwd=/ 3 args: /usr/sbin/sendmail -t -i
2006-02-14 03:16:53 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qgM-0004vy-3p
2006-02-14 03:16:57 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgO-0004w7-Cu
2006-02-14 03:16:57 cwd=/ 3 args: /usr/sbin/sendmail -t -i
2006-02-14 03:16:57 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qgO-0004w7-Cu
2006-02-14 03:16:58 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgP-0004wB-3A
2006-02-14 03:16:58 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgT-0004wF-PC
2006-02-14 03:16:59 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgT-0004wE-Kn
2006-02-14 03:16:59 cwd=/ 3 args: /usr/sbin/sendmail -t -i
2006-02-14 03:16:59 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qgT-0004wE-Kn
2006-02-14 03:17:02 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgV-0004wO-VO
2006-02-14 03:17:02 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgV-0004wL-Fn
2006-02-14 03:17:02 cwd=/ 3 args: /usr/sbin/sendmail -t -i
2006-02-14 03:17:03 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qgV-0004wL-Fn
2006-02-14 03:17:05 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgZ-0004wX-GB
2006-02-14 03:17:05 cwd=/ 3 args: /usr/sbin/sendmail -t -i
2006-02-14 03:17:05 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgY-0004wV-T1
2006-02-14 03:17:07 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgb-0004wb-Vg
2006-02-14 03:17:07 cwd=/ 3 args: /usr/sbin/sendmail -t -i
2006-02-14 03:17:07 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qgb-0004wb-Vg
2006-02-14 03:17:07 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qgY-0004wV-T1
2006-02-14 03:17:07 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgd-0004wg-3C
2006-02-14 03:17:08 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgd-0004wi-Dv
2006-02-14 03:17:08 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qgd-0004wg-3C
2006-02-14 03:17:08 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgd-0004wh-Bi
2006-02-14 03:17:11 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qge-0004wm-Ba
2006-02-14 03:17:14 cwd=/ 3 args: /usr/sbin/sendmail -t -i
2006-02-14 03:17:15 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qgk-0004wy-KF
2006-02-14 03:17:15 cwd=/ 3 args: /usr/sbin/sendmail -t -i
2006-02-14 03:17:15 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qgk-0004wy-KF

There has to be something I can do? Please, I need to find this person.
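Added example, not from anyone in this thread: a small Python script that does the sorting the grep tip above leaves to the eye. It splits the cwd= lines into the three shapes visible in the output quoted in this post (exim -Mc = exim delivering a queued message, -E<id> = exim generating a bounce, everything else = a program handing a new message to sendmail/exim) and then counts only the submissions per working directory, so a /home/<account>/... path that submits a lot stands out. The sample log inside the script is constructed for the example; one message id and the betterhm path are copied from this thread, the exampleacct path is made up.

```python
import re
from collections import Counter

# Constructed sample of exim_mainlog "cwd=" lines (log_selector = +all).
# The shapes mirror the output quoted in the thread; exampleacct is made up.
SAMPLE_LOG = """\
2006-02-14 03:16:26 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1F8qfw-0004ts-Gz
2006-02-14 03:16:26 cwd=/ 3 args: /usr/sbin/sendmail -t -i
2006-02-14 03:16:26 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1F8qfw-0004ts-Gz
2006-02-14 11:33:50 cwd=/home/betterhm/public_html 3 args: /usr/sbin/sendmail -t -i
2006-02-14 11:34:02 cwd=/home/exampleacct/public_html/forms 3 args: /usr/sbin/sendmail -t -i
2006-02-14 11:34:03 cwd=/home/exampleacct/public_html/forms 3 args: /usr/sbin/sendmail -t -i
2006-02-14 11:34:03 cwd=/home/exampleacct/public_html/forms 3 args: /usr/sbin/sendmail -t -i
2006-02-14 11:34:04 cwd=/usr/local/cpanel/whostmgr/docroot 3 args: /usr/sbin/sendmail -t -i
"""

# timestamp, cwd, argument count, argument string
CWD_RE = re.compile(r"^(\S+ \S+) cwd=(\S+) (\d+) args: (.*)$")


def classify(args):
    """Label what kind of exim invocation a cwd= line records."""
    argv = args.split()
    if "-Mc" in argv:
        return "delivery"      # exim delivering a queued message for the queue runner
    if any(a.startswith("-E") for a in argv):
        return "bounce"        # exim writing an error/bounce for the id after -E
    return "submission"        # a program handed a brand new message to sendmail/exim


def parse(log_text):
    """Turn cwd= lines into (timestamp, cwd, kind) tuples; other lines are skipped."""
    records = []
    for line in log_text.splitlines():
        m = CWD_RE.match(line)
        if m:
            ts, cwd, _nargs, args = m.groups()
            records.append((ts, cwd, classify(args)))
    return records


def kind_counts(records):
    """How many delivery / bounce / submission lines were seen."""
    return Counter(kind for _, _, kind in records)


def submissions_by_cwd(records):
    """Only the submissions, counted per working directory."""
    return Counter(cwd for _, cwd, kind in records if kind == "submission")


def home_account(cwd):
    """Map /home/<account>/... to the cPanel account name, else None."""
    parts = cwd.split("/")
    if len(parts) >= 3 and parts[1] == "home" and parts[2]:
        return parts[2]
    return None


def suspect_accounts(records, threshold=2):
    """Accounts under /home whose scripts submitted at least `threshold` messages."""
    per_account = Counter()
    for _, cwd, kind in records:
        acct = home_account(cwd)
        if kind == "submission" and acct:
            per_account[acct] += 1
    return {acct: n for acct, n in per_account.items() if n >= threshold}


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    print("line kinds:", dict(kind_counts(recs)))
    for cwd, n in submissions_by_cwd(recs).most_common():
        print(f"{n:6d}  {cwd}")
    print("suspect accounts:", suspect_accounts(recs))
```

Run it against the real file with `parse(open("/var/log/exim_mainlog").read())`. The submissions from `cwd=/` that dominate the output in this post carry no account path, so the script cannot attribute them; for those the next lead is the `<=` arrival line that exim writes for the same message, which for local submissions includes a `U=<login>` field naming the Unix user the sending process ran as.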
I think you are going to have to give us some more information. Can you post a (not too huge) chunk of some of exim_mainlog that shows some of these spams being sent? Hopefully you have the logging at maximum as I suggested above.